Privacy & Cookies

Self Directed Support Scotland Privacy Notice

The GDPR, or the EU General Data Protection Regulation, is a new data privacy law effective from May 25, 2018.

This legislation gives more rights to you as an individual and more obligations to European Union organisations holding your personal data including Self Directed Support Scotland (SDSS). Personal data is any information which might identify you such as your name, location or online identifiers such as an email address or social media name.

One of the rights is the right to be informed, which means we must give you information about the way in which we might use, share and store any personal information we may hold on you, the legal basis on which we are using it and how you can contact us.

Use of Data Processors

SDSS is a data controller because we determine the purpose and means of processing personal data. For example, we may take an enquiry you might have about Self Directed Support or social care and determine what details should be recorded to ensure we best manage your enquiry. We may also use a number of services to process this data, for example to collect it using an online form and to manage it in a database, and we must ensure these services comply with the GDPR. The services we use are described below.

Legal basis for processing your Personal Data

The legal grounds for us processing your Personal Data will typically be because:

  • you provided your consent, for example if you subscribe to our newsletter;
  • it is necessary for our contractual relationship, for example if you are a worker at a member organisation that has a membership agreement;
  • you give this within a telephone call;
  • the processing is necessary for us to comply with our legal or regulatory obligations, for example if you apply for a job with us; and/or
  • the processing is in our legitimate interest as a provider of SDS information and resources (for example, if you work in a related field such as social work or for an emerging SDS support service) – see our legitimate interests.

In all instances we aim to hold only what data is needed to effectively operate our service to you and our stakeholders and we carry out audits and operate a Retention Policy to ensure all data is securely deleted if no longer required.

How we use your information

This privacy notice tells you what to expect when Self Directed Support Scotland (SDSS) collects personal information. It applies to information we collect about:

Visitors to our websites

When someone visits we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it. For example, if you contact us through our website forms, the forms will direct you as to what information is needed to progress your query. Queries are often best managed by our member organisations or specific service providers, so we might ask if you are happy for your details to be referred to a service provider. See also People who raise an issue with us.

Use of cookies by SDSS


People who contact us via social media

We use a third-party provider, Hootsuite, to manage our social media interactions on Facebook, Twitter and LinkedIn.

If you send us a private or direct message via the social media channels above, the message may be stored for up to three months. It will not be shared with any other organisations without your consent. If an enquiry or issue is raised in the message, the message will be logged in our Salesforce database and the processes outlined in People who raise an issue with us will commence.

People who contact us by telephone

When you call SDSS by telephone we log the call in our SDSS database. We use this information to help improve the effectiveness of our organisation, and data is processed in our Salesforce database subject to the same policy as enquiries to our website. As for a website query, we may request personal information using an online form (see Monitoring).

We also offer a translation service for customers when English is not their first language; this is provided by third parties based on the language and availability of a translator. This service does not retain any information from the calls or record them.

People who email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. Email enquiries are logged in our Salesforce database and deleted from our email client in line with our Retention Policy.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software.

People who make a query or raise an issue with us

When we receive a query from a person we make up a case file containing the details of the issue. This normally contains the identity of the person and any other individuals involved.

We will only use the personal information we collect to process the issue and to check on the level of service we or our member organisations provide. We do compile and publish statistics showing information like the number of queries we receive, but not in a form which identifies anyone.

To resolve the issue, we may have to disclose the person’s identity and certain details to a support organisation. If the person doesn’t want information identifying them to be disclosed, we will respect that and will discuss with the person the way of taking the issue forward.

We will keep personal information contained in case files in line with our Retention Policy. This means that information relating to an issue will be retained for two years from closure. It will be retained securely in our database and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

People we Survey

From time to time we do public surveys and consultations. Many of these are anonymous, but in the cases where they aren’t we seek consent to collect data and we do not make any questions mandatory. Because of the nature of our work we ensure that any survey or consultation reporting is anonymous, and to the best of our ability we crosscheck and remove any data that could identify people in the event that it is inadvertently supplied. Retention of survey data follows best practice and data is usually deleted after reporting has been peer reviewed and is published.

People who use SDSS services

The public

Along with member services, SDSS offers various services to the public, for example signposting and training, along with consultations and support to access digital content by telephone.

We have to hold the details of the people who have requested the service in order to effectively provide the service. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have attended training to carry out a survey to find out what impact the training had or if they may be interested in further training. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.

Member and support organisations

We store information for key contacts from our member and other support organisations on our database. Of these contacts, those that are identified as “SDS Lead” contacts or public facing contacts are made available appropriately to the public via signposting through our website or by telephone. Those contacts are reviewed annually through the member application process for members or by annual data review processes of our subscription lists.

Equalities Monitoring

SDSS may request personal information such as protected characteristics as defined by the Equality Act 2010 for the purpose of monitoring the implementation of Self Directed Support and helping to ensure support is fairly accessed. This data is usually requested if you make an enquiry with us and it is processed separately to the enquiry to create reports on data trends and ensure anonymity.

SDSS Legitimate Interests

The purpose of SDSS is to successfully embed the principles and practices of the Social Care (Self-directed Support)(Scotland) Act of 2013 and to promote Independent Living by supporting and championing Disabled People’s Organisations. We have a legitimate interest in people and organisations who can further this purpose and those that need our support to increase opportunity and improve wellbeing for others.

Organisations of legitimate interest and the people who work for them

In seeking to inform and influence decision makers and people who work within social care, SDSS will use and keep publicly available information for the purpose of communication on our database. We also keep records of activity, affiliations and contact preferences to ensure we contact appropriately and maintain good working relationships. These contacts include those formerly from membership or lapsed membership organisations.

People of legitimate interest

Individuals who engage with SDSS are often professionals or influencers in social care or have complex issues to resolve in collaboration with our membership or other stakeholder organisations. In line with our Retention Policy, contact and activity data on these individuals is maintained for a period after campaign or case resolution for continuity, follow up or maintaining a case history to support future action.

Job applicants, volunteers, current and former SDSS employees

SDSS is the data controller for the information you provide during the application process. If you have any queries about the process or how we handle your information, please contact us.

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for. 

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask but it might affect your application if you don’t. 

Application stage

If you use our online application system, this will be collected by a data processor, BreatheHR, on our behalf; please see Use of HR data processors. If you apply by email, please be aware of email security issues as outlined above.

We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.

You will also be asked to provide equal opportunities information. This is not mandatory information – if you do not provide it, it will not affect your application. This information will not be made available to any staff, including the interview panel, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.


An appropriately appointed HR subgroup will shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.

Interview and assessments

We might ask you to attend an interview and/or complete an assessment activity like a presentation. We might take interview notes and this information is held by SDSS and is only accessible to the HR subgroup.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

    • Proof of your identity – you will be asked to attend our office with original documents, we will take copies;
    • Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies;
    • You will be asked to complete a criminal records declaration to declare any unspent convictions;
    • If the role requires, we will ask you to submit an application to the Protecting Vulnerable Groups scheme processed by Volunteer Scotland;
    • We will contact your referees, using the details you provide in your application, directly to obtain references;
    • We will also ask if you require any reasonable adjustments or encourage you to apply for a workplace assessment if you feel you need it to access support for carrying out your role.

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments;
  • Emergency contact details – so we know who to contact in case you have an emergency at work.

Post start date

We will ask you about membership of a pension scheme – so we can auto-enrol you with the company provider and organise independent pensions advice if necessary.

Use of HR data processors 

Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.


If you accept a final offer from us, your personnel records will be held on BreatheHR which is an internally used HR records system. Please see BreatheHR’s security and reliability notice.

LCiL Payroll

If you are employed by SDSS, relevant details about you will be provided to the Lothian Centre for Inclusive Living (LCiL) who provide payroll services to SDSS. This will include your name, bank details, address, date of birth, National Insurance Number and salary.


Likewise, your details will be provided to Aegon who are the administrators of our Pension Scheme. You will be auto-enrolled into the pension scheme and details provided to Aegon will be your name, date of birth, National Insurance number and salary.

Navigator Employment Law

On being employed or applying to SDSS, relevant details about you may be provided to Navigator HR Services to resolve any HR issues arising from employment or the employment process.

Volunteer Scotland

If required for the role, you will be asked to submit information to Volunteer Scotland who are our agents for the purposes of the Protection of Vulnerable Groups scheme. You can find out more about their disclosure service here.

Access to Work

If we make you a conditional offer, we will ask if you need a workplace assessment to ensure you are properly supported to carry out your role. This process is managed by yourself; see details here, where you can also find out about reasonable adjustments we will make so that you are not disadvantaged.

How long is the information retained for?

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your application, criminal records declaration, application and performance notes, records of any security checks and references. After 6 years, all but a record of your employment or volunteer role and your period of service are deleted.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.

Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.

Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.

How do we make decisions about recruitment?

Final recruitment decisions are made by the assigned HR subgroup, which typically includes at least one member of our management committee. All of the information gathered during the application process is taken into account.

You are able to ask about decisions made about your application by speaking to or by emailing your designated contact on the application notes.

Your rights

Under the GDPR, you have rights as an individual which you can exercise in relation to the information we hold about you. You can, for example, request that we rectify, restrict or delete your personal data and unsubscribe you from communications.

You can read more about these rights here.

Complaints or queries about personal data

SDSS tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with transparency and clarity in mind. It does not provide exhaustive detail of all aspects of SDSS’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

If you want to make a complaint about the way we have processed your personal information, you can contact us, or the statutory body which oversees data protection law –

Access to personal information

SDSS tries to be as open as it can be in terms of giving people access to their personal information. You can find out if we hold any personal information about you by making a ‘subject access request’ under the GDPR. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of this information in a form that is intelligible to you.

To make a request to SDSS for any personal information we may hold about you, you can ask any employee verbally or in writing, through any means, or using the contact details below. To protect your information, we will be required to confirm you are the legitimate subject of the request, and this may involve asking you to provide details which should be known to both parties, for example combinations of a telephone number, address and the topic or description of recent activity with us.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we hold any out of date or incorrect information about you, you can ask us to correct any mistakes.

Requests to exercise data protection rights

Please note that requests to exercise data protection rights will be assessed by us on a case-by-case basis. There may be circumstances where we are not legally required to comply with your request because of exemptions provided for in data protection legislation.

Data Processors used by SDSS


Aside from the specific third-party data processing tools listed below, all personal data held by SDSS for processing is contained in a custom Salesforce database which is utilised only by trained and authorised SDSS employees. Technical staff of contracted integrated applications such as Campaign Monitor and Form Titan listed below, or Salesforce itself, may access limited or administrative areas when required for troubleshooting. SDSS utilises Salesforce to better manage and contain personal data, for example to ensure subscription preferences and to ensure data is only held as long as is required. Salesforce has detailed Trust and Compliance documents available here.

Form Titan

Our website search and query form is powered by Form Titan. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either SDSS or any third party unless we request it explicitly, for example to better signpost or manage a query. For more information, please see Form Titan’s compliance notice. Personal information collected by our query forms is held in our Salesforce database for processing by SDSS or, in the event you specifically request it, passed to a trusted support organisation or local authority. Only enough information is collected and passed to manage your query effectively.

Campaign Monitor

We use a third-party provider, Campaign Monitor, to deliver our monthly e-newsletters and member bulletins. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see Campaign Monitor’s privacy notice.

Accessible Website Design Glasgow

SDSS uses a third-party service to help maintain the security, performance and accessibility of the SDSS website. An SSL (https) certificate is provided to ensure data transferred via our forms is done so securely. Please see information about Accessible Website Design Glasgow.

Xero and the Co-operative Bank

SDSS uses a book-keeping service called Xero to process our financial data, which will include personal data like names, addresses and bank account details of suppliers, staff and SDSS service users for the purpose of making and receiving payments. Xero has a detailed privacy policy here. Some of this information, for example names and account details, is transferred to our online banking service as needed to make payments.


SDSS uses the online service Eventbrite to manage ticketing for major events. We may collect personal data like delegate accessibility needs, travel arrangements or dietary requirements to ensure we are being inclusive in our event provision, and billing information may be collected if applicable, e.g. how tickets were paid for. The Eventbrite privacy policy can be found here. Some delegate communications may be handled by Eventbrite, but delegate contact and work details are transferred to Salesforce and Campaign Monitor to maintain communication regarding evaluation and future events. Once an event is run, all other data is purged.


We contract communications agency Electrify to do public campaigns and work like focus groups; their details can be found here. In this role they may process information on our behalf using a tool called Jotform.

Disclosure of personal information

We will not disclose personal data without consent unless required to by law. However, when we investigate an issue raised with us, for example, we may need to share personal information with the organisation concerned and with other relevant bodies to reach a resolution. We will pass personal information to service providers where this has been requested by you for referral or signposting purposes.

You can also get further information in our Data Protection Policy on:

  • agreements we have with other organisations for sharing information;
  • circumstances where we can pass on personal data without consent, for example to prevent and detect crime and to produce anonymised statistics;
  • our instructions to staff on how to collect, use and delete personal data; and
  • how we check that the information we hold is accurate and up to date.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 24 May 2018.

How to contact us

If you want to request information about our privacy policy, or make a subject access request or complaint, you can telephone, email us or write to:

Data Protection Lead
Self Directed Support Scotland
Norton House
57 Albion Road
Edinburgh EH7 5EQ

Telephone 0131 475 2626